
...

Step

Description

Command

Keys

1

Set the DSCP code global value for the use in IP headers of RADIUS server egress packets (optional).

esr(config)# radius-server dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63.

2

Set the global number of re-requests to the last active RADIUS server (optional).

esr(config)# radius-server retransmit <COUNT>

<COUNT> – number of repeated requests to the RADIUS server, takes values of [1..10].

Default value: 1.

3

Set the global value of the interval after which the router assumes that the RADIUS server is not available (optional).

esr(config)# radius-server timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: 3 seconds.

4

Add RADIUS server to the list of used servers and switch to its configuration mode.

esr(config)# radius-server host
{ <IP-ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]
esr(config-radius-server)#

<IP-ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]

<VRF> – VRF instance name, set by the string of up to 31 characters.

5

Specify the number of failed authentication attempts to block the user login and time of the lock (optional).

esr(config)# aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in seconds, takes the values of [1..65535].

Default value:

<COUNT> – 5; <TIME> – 300

6

Set the password for authentication on remote RADIUS server.

esr(config-radius-server)# key ascii-text
{ <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string [8..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

7

Set the priority for using a remote RADIUS server (optional).

esr(config-radius-server)# priority <PRIORITY>

<PRIORITY> – remote server priority, takes values in the range of [1..65535].

The lower the value, the higher the priority of the server.

Default value: 1.

8

Set the interval after which the router assumes that the RADIUS server is not available (optional).

esr(config-radius-server)# timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: global timer value is used.

9

Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted RADIUS packets.

esr(config-radius-server)# source-address { <ADDR> | <IPV6-ADDR> }

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

10

Specify the interface or tunnel of the router whose IPv4/IPv6 address will be used as the source IPv4/IPv6 address in outgoing RADIUS packets.

esr(config-radius-server)# source-interface { <IF> | <TUN> }

<IF> – interface, specified in the form given in the "Types and naming procedure of router interfaces" section of the CLI command reference guide;

<TUN> – tunnel name, specified in the form given in the "Types and naming procedure of router tunnels" section.

11

Set RADIUS as an authentication method.

esr(config)# aaa authentication login { default | <NAME> } <METHOD 1>
[ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters.

Authentication methods:

  • local – authentication by local user base;
  • tacacs – authentication by TACACS server list;
  • radius – authentication by RADIUS server list;
  • ldap – authentication by LDAP server list.

12

Set RADIUS as an authentication method for user privilege elevation.

esr(config)# aaa authentication enable <NAME> <METHOD 1>
[ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters;

  • default – default list name.

<METHOD> – authentication methods:

  • enable – authentication by enable passwords;
  • tacacs – authentication by TACACS;
  • radius – authentication by RADIUS;
  • ldap – authentication by LDAP.

13

Specify authentication methods to be tried in case of failure (optional).

esr(config)# aaa authentication mode <MODE>

<MODE> – options of iterating over methods:

  • chain – if the server returned FAIL, proceed to the following authentication method in the chain;
  • break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

14

Configure RADIUS in the list of user session accounting methods (optional).

esr(config)# aaa accounting login start-stop <METHOD 1>
[ <METHOD 2> ]

<METHOD> – accounting methods:

  • tacacs – session accounting by TACACS;
  • radius – session accounting by RADIUS.

15

Switch to the corresponding terminal configuration mode.

esr(config)# line <TYPE>

<TYPE> – console type:

  • console – local console;
  • ssh – secure remote console.

16

Activate user login authentication list.

esr(config-line-console)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 11.

17

Activate authentication list of user privileges elevation.

esr(config-line-console)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 12.
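
The RADIUS steps of this table assembled into one working command sequence, as an added example that is not part of the original guide. The server address 192.0.2.10, the source address 192.0.2.1 and the key SampleKey01 are constructed sample values; the `exit` command and the `esr(config-line-ssh)#` prompt are assumed by analogy with the `esr(config-line-console)#` prompt shown in the table. The list `default` tries RADIUS first and the local user base second; with `aaa authentication mode break`, a password that RADIUS rejects is not retried against local accounts, while an unreachable RADIUS server still falls through to the local base, so device access survives a RADIUS outage without the local base becoming a second password store to guess against.

```text
! Added example with constructed sample values (192.0.2.x, SampleKey01); not from the original guide
esr(config)# radius-server timeout 5
esr(config)# radius-server retransmit 2
esr(config)# radius-server host 192.0.2.10
esr(config-radius-server)# key ascii-text SampleKey01
esr(config-radius-server)# priority 1
esr(config-radius-server)# source-address 192.0.2.1
esr(config-radius-server)# exit
esr(config)# aaa authentication attempts max-fail 5 300
esr(config)# aaa authentication login default radius local
esr(config)# aaa authentication enable default radius enable
esr(config)# aaa authentication mode break
esr(config)# aaa accounting login start-stop radius
esr(config)# line ssh
esr(config-line-ssh)# login authentication default
esr(config-line-ssh)# enable authentication default
```

With the default `aaa authentication mode chain`, a RADIUS FAIL would instead be followed by an attempt against the local user base, so every password entered over SSH would be tested twice; `break` is the setting to pick when local accounts exist only for recovery.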

...

Step

Description

Command

Keys

1

Set the DSCP code global value for the use in IP headers of TACACS server egress packets (optional).

esr(config)# tacacs-server dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63.

2

Set the global value of the interval after which the router assumes that the TACACS server is not available (optional).

esr(config)# tacacs-server timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: 3 seconds.

3

Add TACACS server to the list of used servers and switch to its configuration mode.

esr(config)# tacacs-server host
{ <IP-ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]

esr(config-tacacs-server)#

<IP-ADDR> – TACACS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]

<IPV6-ADDR> – TACACS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]

<VRF> – VRF instance name, set by the string of up to 31 characters.

4

Specify the number of failed authentication attempts to block the user login and time of the lock (optional).

esr(config)# aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in minutes, takes the values of [1..65535].

Default value:

<COUNT> – 5; <TIME> – 300

5

Set the password for authentication on remote TACACS server.

esr(config-tacacs-server)# key ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string [8..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

6

Set the port number to communicate with remote TACACS server (optional).

esr(config-tacacs-server)# port <PORT>

<PORT> – number of TCP port to exchange data with a remote server, takes values of [1..65535].

Default value: 49 for TACACS server.

7

Set the priority for using a remote TACACS server (optional).

esr(config-tacacs-server)# priority <PRIORITY>

<PRIORITY> – remote server priority, takes values in the range of [1..65535].

The lower the value, the higher the priority of the server.

Default value: 1.

8

Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted TACACS packets.

esr(config-tacacs-server)# source-address { <ADDR> | <IPV6-ADDR> }

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

9

Specify the interface or tunnel of the router whose IPv4/IPv6 address will be used as the source IPv4/IPv6 address in outgoing TACACS packets.

esr(config-tacacs-server)# source-interface { <IF> | <TUN> }

<IF> – interface, specified in the form given in the "Types and naming procedure of router interfaces" section of the CLI command reference guide;

<TUN> – tunnel name, specified in the form given in the "Types and naming procedure of router tunnels" section.

10

Set TACACS as an authentication method for user privilege elevation.

esr(config)# aaa authentication enable <NAME> <METHOD 1>
[ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters;

  • default – default list name.

<METHOD> – authentication methods:

  • enable – authentication by enable passwords;
  • tacacs – authentication by TACACS;
  • radius – authentication by RADIUS;
  • ldap – authentication by LDAP.

11

Set the method for iterating over authentication methods (optional).

esr(config)# aaa authentication mode <MODE>

<MODE> – options of iterating over methods:

  • chain – if the server returned FAIL, proceed to the following authentication method in the chain;
  • break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

12

Configure the list of CLI commands accounting methods (optional).

esr(config)# aaa accounting commands stop-only tacacs


13

Configure TACACS in the list of user session accounting methods (optional).

esr(config)# aaa accounting login start-stop <METHOD 1>
[ <METHOD 2> ]

<METHOD> – accounting methods:

  • tacacs – session accounting by TACACS;
  • radius – session accounting by RADIUS.

14

Switch to the corresponding terminal configuration mode.

esr(config)# line <TYPE>

<TYPE> – console type:

  • console – local console;
  • ssh – secure remote console.

15

Activate user login authentication list.

esr(config-line-console)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 7.

16

Activate authentication list of user privileges elevation.

esr(config-line-console)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 10.

...

Step

Description

Command

Keys

1

Specify the base DN (Distinguished Name) that will be used when searching for users.

esr(config)# ldap-server base-dn <NAME>

<NAME> – base DN, set by the string of up to 255 characters.

2

Set the interval after which the router assumes that the LDAP server is not available (optional).

esr(config)# ldap-server bind timeout <SEC>

<SEC> – time interval in seconds, takes values of [1..30].

Default value: 3 seconds.

3

Specify the DN (Distinguished Name) of a user with administrator rights, as which the router authenticates to the LDAP server when searching for users.

esr(config)# ldap-server bind authenticate root-dn <NAME>

<NAME> – DN of a user with administration rights, set by the string of up to 255 characters.

4

Specify the password of the user with administrator rights, as which the router authenticates to the LDAP server when searching for users.

esr(config)# ldap-server bind authenticate root-password ascii-text
{ <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string [8..16] ASCII characters;

<ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

5

Specify a class name of the objects among which it is necessary to search for users on LDAP server (optional).

esr(config)# ldap-server search filter user-object-class <NAME>

<NAME> – object class name, set by the string of up to 127 characters.

Default value: posixAccount.

6

Specify the user search scope in LDAP server tree (optional).

esr(config)# ldap-server search scope <SCOPE>

<SCOPE> – user search scope on LDAP server, takes the following values:

  • onelevel – search only the objects one level below the base DN in the LDAP server tree;
  • subtree – search all objects in the subtree under the base DN in the LDAP server tree.

Default value: subtree.

7

Specify the interval after which the device assumes that the LDAP server has not found user entries satisfying the search condition (optional).

esr(config)# ldap-server search timeout <SEC>

<SEC> – time interval in seconds, takes values of [0..30]

Default value: 0 – the device waits for the search to complete and for the LDAP server to respond.

8

Specify the name of the object attribute that is compared with the name of the user being looked up on the LDAP server (optional).

esr(config)# ldap-server naming-attribute <NAME>

<NAME> – object attribute name, set by the string of up to 127 characters.

Default value: uid.

9

Specify the name of the object attribute from which the user's privilege level is read on the LDAP server (optional).

esr(config)# ldap-server privilege-level-attribute <NAME>

<NAME> – object attribute name, set by the string of up to 127 characters.

Default value: priv-lvl

10

Set the DSCP code global value for the use in IP headers of LDAP server egress packets (optional).

esr(config)# ldap-server dscp <DSCP>

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value: 63

11

Add LDAP server to the list of used servers and switch to its configuration mode.

esr(config)# ldap-server host { <IP-ADDR> | <IPV6-ADDR> }
[ vrf <VRF> ]

esr(config-ldap-server)#

<IP-ADDR> – LDAP server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255]

<IPV6-ADDR> – LDAP server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF]

<VRF> – VRF instance name, set by the string of up to 31 characters.

12

Specify the number of failed authentication attempts to block the user login and time of the lock (optional)

esr(config)# aaa authentication attempts max-fail <COUNT> <TIME>

<COUNT> – amount of failed authentication attempts after which a user is blocked, takes the values of [1..65535];

<TIME> – user blocking time in minutes, takes the values of [1..65535].

Default value:

<COUNT> – 5; <TIME> – 300

13

Set the port number to communicate with remote LDAP server (optional).

esr(config-ldap-server)# port <PORT>

<PORT> – number of TCP port to exchange data with a remote server, takes values of [1..65535].

Default value: 389 for LDAP server.

14

Set the priority for using a remote LDAP server (optional).

esr(config-ldap-server)# priority <PRIORITY>

<PRIORITY> – remote server priority, takes values in the range of [1..65535].

The lower the value, the higher the priority of the server.

Default value: 1.

15

Set IPv4/IPv6 address that will be used as source IPv4/IPv6 address in transmitted LDAP packets.

esr(config-ldap-server)# source-address { <ADDR> | <IPV6-ADDR> }

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – source IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

16

Specify the interface or tunnel of the router whose IPv4/IPv6 address will be used as the source IPv4/IPv6 address in outgoing LDAP packets.

esr(config-ldap-server)# source-interface { <IF> | <TUN> }

<IF> – interface, specified in the form given in the "Types and naming procedure of router interfaces" section of the CLI command reference guide;

<TUN> – tunnel name, specified in the form given in the "Types and naming procedure of router tunnels" section.

17

Set LDAP as an authentication method.

esr(config)# aaa authentication login { default | <NAME> }
<METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters.

Authentication methods:

  • local – authentication by local user base;
  • tacacs – authentication by TACACS server list;
  • radius – authentication by RADIUS server list;
  • ldap – authentication by LDAP server list.

18

Set LDAP as an authentication method for user privilege elevation.

esr(config)# aaa authentication enable <NAME>
<METHOD 1> [ <METHOD 2> ] [ <METHOD 3> ] [ <METHOD 4> ]

<NAME> – list name, set by the string of up to 31 characters;

  • default – default list name.

<METHOD> – authentication methods:

  • enable – authentication by enable passwords;
  • tacacs – authentication by TACACS;
  • radius – authentication by RADIUS;
  • ldap – authentication by LDAP.

19

Set the method for iterating over authentication methods.

esr(config)# aaa authentication mode <MODE>

<MODE> – options of iterating over methods:

  • chain – if the server returned FAIL, proceed to the following authentication method in the chain;
  • break – if the server returned FAIL, abandon authentication attempts. If the server is unavailable, continue authentication attempts by the following methods in the chain.

Default value: chain.

20

Switch to the corresponding terminal configuration mode.

esr(config)# line <TYPE>

<TYPE> – console type:

  • console – local console;
  • ssh – secure remote console.

21

Activate user login authentication list.

esr(config-line-console)# login authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 17.

22

Activate authentication list of user privileges elevation.

esr(config-line-console)# enable authentication <NAME>

<NAME> – list name, set by the string of up to 31 characters. Created in step 18.

...

Step

Description

Command

Keys

1

Define DNS server IP address used for DNS names resolution.

esr(config)# domain name-server <IP>

<IP> – IP address of the DNS server being used, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

2

Enable DNS name resolution on the device.

esr(config)# domain lookup enable


3

Create IPS/IDS security policy.

esr(config)# security ips policy <NAME>

<NAME> – security policy name, set by the string of up to 32 characters.

4

Specify policy description (optional).

esr(config-ips-policy)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

5

Create IP addresses lists which will be used during filtration.

esr(config)# object-group network <WORD>

esr(config-object-group-network)# ip prefix <ADDR/LEN>

<WORD> – IP address profile name, set by the string of up to 32 characters.

<ADDR/LEN> – subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

6

Specify the IP address profile that IPS/IDS will protect.

esr(config-ips-policy)# protect network-group <OBJ-GROUP-NETWORK-NAME>

<OBJ-GROUP-NETWORK-NAME> – protected IP addresses profile name, set by the string of up to 32 characters.

7

Specify the profile of IP addresses that are external for IPS/IDS (optional).

esr(config-ips-policy)# external network-group <OBJ-GROUP-NETWORK-NAME>

<OBJ-GROUP-NETWORK-NAME> – external IP addresses profile name, set by the string of up to 32 characters.

8

Create a content filter category profile.

esr(config)# object-group content-filter <NAME>

<NAME> – name of the content filtering profile, specified as a string of up to 31 characters.

9

Set the description of the content filter categories profile (optional).

esr(config-object-group-content-filter)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

10

Set the content filtering category provider.

esr(config-object-group-content-filter)# vendor <CONTENT-FILTER-VENDOR>

<CONTENT-FILTER-VENDOR> – name of the content filtering category provider. In the current version of the software, only Kaspersky Lab can act as a content filtering category provider.

11

Set the necessary categories of content filtering.

esr(config-object-group-cf-kaspersky)# category <CATEGORY>

<CATEGORY> – category name. A description of the available categories can be found in the CLI command reference.

12

Switch to the IPS/IDS configuration mode.

esr(config)# security ips


13

Assign IPS/IDS security policy.

esr(config-ips)# policy <NAME>

<NAME> – security policy name, set by the string of up to 32 characters.

14

Use all ESR resources for IPS/IDS (optional).

esr(config-ips)# performance max

By default, half of the available processor cores are allocated for IPS/IDS.

15

Set the parameters of the remote server to which IPS/IDS service statistics are sent in EVE (Elasticsearch) format (optional).

esr(config-ips)# logging remote-server { <ADDR> | <IPV6-ADDR> } [ <TRANSPORT> ] [ <PORT> ] [ source-address { <SRC-ADDR> | <IPV6-SRC-ADDR> } ]

<ADDR> – IPv4 address of the remote server, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];

<TRANSPORT> – data transfer protocol, by default is UDP, takes the following values:

  • TCP – data transfer via TCP;
  • UDP – data transfer via UDP.

<PORT> – TCP/UDP port number of the remote server, takes values of [1..65535], by default is 514;

<SRC-ADDR> – IPv4 address of the router that will be used as the source IP address in the sent syslog packets. By default – the IPv4 address of the interface from which the packets are sent;

<IPV6-SRC-ADDR> – IPv6 address of the router that will be used as the source IP address in the sent syslog packets. By default – the IPv6 address of the interface from which the packets are sent.

16

Set the interval for sending IPS/IDS service statistics in EVE (Elasticsearch) format (optional).

esr(config-ips)# logging update-interval <INTERVAL>

<INTERVAL> – IPS/IDS service statistics sending interval, set in minutes.

17

Enable IPS/IDS.

esr(config-ips)# enable


18

Enable IPS/IDS on the interface.

esr(config-if-gi)# service-ips enable


19

Specify a name and enter the configuration mode of the set of user rules.

esr(config)# security ips-category user-defined <WORD>

<WORD> – user rule set name, set by the string of up to 32 characters.

20

Define a description of a set of user rules (optional).

esr(config-ips-category)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

21

Create a rule and switch to its configuration mode.

esr(config-ips-category)# rule <ORDER>

<ORDER>  – rule number, takes values of [1..512].

22

Specify rule description (optional).

esr(config-ips-category-rule)# description <DESCRIPTION>

<DESCRIPTION> – description, set by the string of up to 255 characters.

23

Specify the action the rule applies to matching traffic.

esr(config-ips-category-rule)# action { alert | reject | pass | drop }

  • alert – traffic is allowed and the IPS/IDS service generates a message;
  • reject – traffic is prohibited. If it is TCP traffic, a TCP-RESET packet is sent to the sender and recipient, for the rest of the traffic type, an ICMP-ERROR packet is sent. IPS/IDS service generates a message;
  • pass – traffic transfer is permitted;
  • drop – traffic is prohibited and the IPS/IDS service generates a message.

24

Set the IP protocol to HTTP.

esr(config-ips-category-rule)# protocol http


25

Set sender IP addresses for which the rule should work.

esr(config-ips-category-rule)# source-address
{ ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> | policy-object-group { protect | external } | any }

<ADDR> – sender IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ADDR/LEN> – sender IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32].

<OBJ_GR_NAME> – name of IP addresses profile that contains sender IP address, set by the string of up to 31 characters.

  • protect – uses the protected addresses defined in the IPS/IDS policy as sender addresses;
  • external – uses the external addresses defined in the IPS/IDS policy as sender addresses.

When specifying the 'any' value, the rule will be triggered for any source IP address.

26

Set the profile of source TCP ports for which the rule should work.

esr(config-ips-category-rule)# source-port {any | <PORT> | object-group <OBJ-GR-NAME> }

<PORT> – number of sender TCP/UDP port, takes values of [1..65535].

<OBJ_GR_NAME> – sender TCP/UDP ports profile name, set by the string of up to 31 characters.

When specifying the 'any' value, the rule will work for any sender TCP/UDP port.

27

Set destination IP addresses for which the rule should trigger.

esr(config-ips-category-rule)# destination-address
{ip <ADDR> | ip-prefix <ADDR/LEN> | object-group <OBJ_GR_NAME> |
policy-object-group { protect | external } | any }

<ADDR> – recipient IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<ADDR/LEN> – recipient IP subnet, defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and LEN takes values of [1..32].

<OBJ_GR_NAME> – name of IP addresses profile that contains recipient IP address, set by the string of up to 31 characters.

  • protect – uses the protected addresses defined in the IPS/IDS policy as recipient addresses;
  • external – uses the external addresses defined in the IPS/IDS policy as recipient addresses.

When specifying the 'any' value, the rule will work for any recipient IP address.

28

Set the profile of destination TCP ports for which the rule should trigger.

TCP port 80 is normally used for the HTTP protocol.

If web servers are reachable on non-standard ports, those ports must be listed as well.

esr(config-ips-category-rule)# destination-port  {any | <PORT> | object-group <OBJ-GR-NAME> }

<PORT> – number of destination TCP/UDP port, takes values of [1..65535].

<OBJ_GR_NAME> – recipient TCP/UDP ports profile name, set by the string of up to 31 characters.

When specifying the 'any' value, the rule will be triggered for any destination TCP/UDP port.

29

Set traffic direction for which the rule should trigger.

esr(config-ips-category-rule)# direction { one-way | round-trip }

  • one-way – traffic is transmitted in one direction.
  • round-trip – traffic is transmitted in both directions.

30

Define the message that IPS/IDS will record to the log when this rule will trigger.

esr(config-ips-category-rule)# meta log-message <MESSAGE>

<MESSAGE> – text message specified by a string of up to 129 characters.

31

Assign a content filter category profile

esr(config-ips-category-rule)# ip http content-filter <NAME>

<NAME> – name of the content filtering profile, specified as a string of up to 31 characters.

any – the rule will trigger for HTTP sites of any category.

32

Activate a rule.

esr(config-ips-category-rule)# enable
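
The content-filtering steps of this table assembled into one sequence, as an added example that is not part of the original guide. The DNS server 192.0.2.53, the prefix 10.0.0.0/24, the profile and rule-set names and the description strings are constructed sample values; `exit`, the quoting of descriptions, the `vendor kaspersky` keyword (suggested by the `config-object-group-cf-kaspersky` prompt in step 11) and the `interface gigabitethernet 1/0/1` command used to reach the `esr(config-if-gi)#` mode are assumed. The category name is left as a placeholder because the available names are only listed in the CLI command reference. The rule drops HTTP from the protected network to port 80 of any destination whose site falls into the profile's categories and logs every match, so a block is visible in the IPS log instead of looking like a network fault.

```text
! Added example with constructed sample values (192.0.2.53, 10.0.0.0/24, names, descriptions); not from the original guide
esr(config)# domain name-server 192.0.2.53
esr(config)# domain lookup enable
esr(config)# object-group network LAN-USERS
esr(config-object-group-network)# ip prefix 10.0.0.0/24
esr(config-object-group-network)# exit
esr(config)# security ips policy CF-POLICY
esr(config-ips-policy)# description "Content filtering for LAN users"
esr(config-ips-policy)# protect network-group LAN-USERS
esr(config-ips-policy)# exit
esr(config)# object-group content-filter BLOCKED-CATEGORIES
esr(config-object-group-content-filter)# vendor kaspersky
esr(config-object-group-cf-kaspersky)# category <CATEGORY-NAME-FROM-CLI-REFERENCE>
esr(config-object-group-cf-kaspersky)# exit
esr(config)# security ips-category user-defined CF-RULES
esr(config-ips-category)# rule 1
esr(config-ips-category-rule)# description "Block HTTP to filtered categories"
esr(config-ips-category-rule)# action drop
esr(config-ips-category-rule)# protocol http
esr(config-ips-category-rule)# source-address policy-object-group protect
esr(config-ips-category-rule)# source-port any
esr(config-ips-category-rule)# destination-address any
esr(config-ips-category-rule)# destination-port 80
esr(config-ips-category-rule)# direction one-way
esr(config-ips-category-rule)# meta log-message "HTTP blocked by content filter"
esr(config-ips-category-rule)# ip http content-filter BLOCKED-CATEGORIES
esr(config-ips-category-rule)# enable
esr(config-ips-category-rule)# exit
esr(config-ips-category)# exit
esr(config)# security ips
esr(config-ips)# policy CF-POLICY
esr(config-ips)# enable
esr(config-ips)# exit
esr(config)# interface gigabitethernet 1/0/1
esr(config-if-gi)# service-ips enable
```

Where web servers also answer on non-standard ports, replace `destination-port 80` with `destination-port object-group <name>` and list those ports in the group as step 28 advises; DNS resolution (steps 1 and 2) must work, since the category lookup for a site depends on it.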


...

Note

The SMTP protocol (TCP port 25) must be enabled on the firewall.
